NNRU, a noncommutative analogue of NTRU 



Nitin Vats 

Indian Institute of Science, Bangalore, India 
nitinvatsa@gmail.com



Abstract. The NTRU public key cryptosystem is a well-studied lattice-based cryptosystem, along with the Ajtai-Dwork and GGH systems. Underlying NTRU is the hard mathematical problem of finding short vectors in a certain lattice. (Shamir 1997) presented a lattice-based attack by which he could find the original secret key or an alternate key. Shamir concluded that if one designs a variant of NTRU where the calculations involved during encryption and decryption are non-commutative, then the system will be secure against lattice-based attack. This paper presents a new cryptosystem with the above property, and we have proved that it is completely secure against lattice-based attack. It operates in the non-commutative ring $\mathbb{M} = M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$, where $\mathbb{M}$ is a matrix ring of $k \times k$ matrices of polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$. Moreover, we have obtained a speed improvement by a factor of $O(k^{1.624})$ over NTRU for the same bit of information.

Keywords: public key cryptosystem, NTRU, lattice based cryptosystem 



1 Introduction 

The first version of NTRU was proposed by (Hoffstein 1996). It has been assessed recently as the fastest public key cryptosystem [J. Its strong points are short key size and speed of encryption and decryption, two assets of crucial importance in embedded applications such as handheld devices and wireless systems. The description of the NTRU system is given entirely in terms of a quotient ring of integer polynomials. The most expected attack on this system is the lattice-based attack. The NTRU public key cryptosystem [T] relies for its security on the presumed difficulty of solving the shortest [7, 12] and closest vector problems in certain lattices related to the cyclotomic ring $\mathbb{Z}[X]/(X^n - 1)$. Lattices have been studied by cryptographers for quite some time, both in the field of cryptanalysis and as a source of hard problems on which to build encryption schemes [1].

By lattice attack our aim is to find the original key or an alternative key which can be used in place of the original key to decrypt ciphertext with some more computational complexity. We construct a lattice whose elements correspond to alternative keys. If we get a vector as short as the original key, we can easily decrypt, but even if we find a vector that is two or three times bigger, we can partially decrypt it by adding the pieces to get the whole. So added security can be achieved by increasing the dimensions of the lattice, but this will decrease the speed of encryption and decryption, which is the key property of NTRU.

In this paper we present another variant of NTRU, which we will call NNRU. Our focus involves extension to noncommutative groups instead of using group algebra over $\mathbb{Z}_n$ (that is, the ring $\mathbb{Z}_q[X]/(X^n - 1)$).

NNRU operates in the ring of $k$ by $k$ matrices of $k^2$ different polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$. As matrix multiplication in NNRU is strictly non-abelian, the adversary will have to find two ring elements, so the search space will be squared relative to that of NTRU. In section 5 we have shown that NNRU is completely secure against the lattice attack that was more likely on NTRU and its variants. We can compare an instance of NTRU by putting $n(k^2) = N$. Encryption and decryption in NTRU need $O(N^2)$ or $O(n^2 k^4)$ operations for a message block of length $N$, but in NNRU for the same bit of information we need $O(n^2 k^{2.376})$ operations if we use Coppersmith's algorithm for matrix multiplication, which is a considerable speed improvement over original NTRU. Inversion of a polynomial matrix can be done quickly with less memory expense by the algorithm suggested in [28]. Moreover, polynomial matrix computations can be solved in $\tilde{O}(nk^{e})$ by reducing polynomial matrix multiplication to determinant computation and conversely, under the straight line model [27]. Here $\tilde{O}$ denotes some missing $\log(nk)$ factors and $e$ is the exponent of matrix multiplication over $R$.

The paper is organized as follows. Section 2 gives some notation and norm estimation that help our analysis. In section 3 we briefly sketch the NNRU cryptographic system. In section 4 we discuss constraints for parameters. Details of the security analysis of the NNRU system are given in section 5. Section 6 shows performance analysis and comparison with NTRU.

2 Notations 

All computations in NNRU are performed in the ring $\mathbb{M} = M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$, where $\mathbb{M}$ is a matrix ring of $k \times k$ matrices of elements in the ring $R = \mathbb{Z}[X]/(X^n - 1)$. An element $a_0 + a_1 x + \dots + a_{n-1}x^{n-1}$ of $R$ can be represented as an $n$-tuple of integers $[a_0, a_1, \dots, a_{n-1}]$. Addition in $R$ is performed componentwise, and multiplication is a circular convolution.

2.1 Norm Estimation 

We define the width of an element $M \in \mathbb{M}$ to be

$\|M\|_\infty = \max(\text{coeff. in polys. } m \in M) - \min(\text{coeff. in polys. } m \in M)$

The width of a matrix $M \in \mathbb{M}$ is the difference between the maximum and minimum coefficient in any of its $k^2$ polynomials. We say a matrix $M \in \mathbb{M}$ is short if

$\|M\|_\infty < p.$

The width of the product of two matrices is also short, as it is much less than $q$, though it may be slightly more than $p$. We define the width of a polynomial $r \in R$ to be

$\|r\|_\infty = \max(\text{coeff. in } r) - \min(\text{coeff. in } r)$

Similarly the polynomial $r$ is said to be short if

$\|r\|_\infty < p.$

Basically the width of $M$ or $r$ is a sort of $L^\infty$ norm on $\mathbb{M}$ or $R$ respectively. In this paper we are essentially doing all calculations on the $L^2$ norm to produce an estimate of the $L^\infty$ norm. For precisely evaluating the properties we need to estimate $L^\infty$, but the $L^2$ norm is comparatively easy to estimate. We give a proposition relating the $L^\infty$ and $L^2$ norms by which we can do all calculations on the $L^2$ norm and estimate the $L^\infty$ norm. It is based on experiments and suggestions due to Don Coppersmith[l].

Let $\|r\|$ be the $L^2$ norm for a random polynomial $r$. Then the following proposition is true for random polynomials $r_1, r_2 \in R$ with small coefficients:

$\|r_1 * r_2\| \approx \|r_1\| \cdot \|r_2\|$

and $\|r_1 * r_2\|_\infty \approx \gamma \|r_1\| \cdot \|r_2\|$, where $\gamma < 0.15$ for $n < 1000$. (1)
Now we define a centered norm on $\mathbb{M}$. We denote it by the notation $\|M\|$:

$\|M\| = \sqrt{\sum_{\text{polys. } m \in M} \sum (\text{coeff. in } m - \mu)^2}$

where $\mu = \frac{1}{nk^2} \sum_{\text{polys. } m \in M} \sum (\text{coeff. in } m)$ is the average of all coefficients in all the polynomials in the matrix $M$. Its value will be close or equal to zero. Equivalently, $\|M\|/\sqrt{nk^2}$ is the standard deviation of the coefficients of the polynomials in $M \in \mathbb{M}$. In this paper we do analysis on the centered norm of $M$ and can deduce results on the $L^\infty$ norm by using result (1).

The proposition (1) can be extended to the centered norm on $\mathbb{M}$. Consider any $\kappa > 0$; there are constants $\gamma_1, \gamma_2 > 0$ and two matrices $M_1, M_2 \in \mathbb{M}$. We therefore express

$\|M_1 * M_2\| \approx \|M_1\| \cdot \|M_2\|$

and $\gamma_1 \|M_1\| \cdot \|M_2\| < \|M_1 * M_2\|_\infty < \gamma_2 \|M_1\| \cdot \|M_2\|$ (2)

On the basis of experimental evidence and due to Don Coppersmith Ij, the proposition holds with probability greater than $1 - \kappa$ for small $\kappa$. It can be shown experimentally that even for larger values of $nk^2$, the value of $\gamma_1/\gamma_2$ is somewhere between zero and one (moderately larger than zero).

2.2 Sample Spaces

The NNRU cryptosystem depends on four positive integer parameters $(n, k, p, q)$ with $p$ and $q$ relatively prime and four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathbb{M}$. Note that $q$ will always be considered much larger than $p$. In this paper, for ease of explanation, we stick to $p = 2$ or $3$, and q ranges between 2* to 2^^. When we do matrix multiplication modulo $p$ (or $q$), we mean to reduce the coefficients of the polynomials in the matrices modulo $p$ (or $q$).

The set of matrices $(L_f, L_c, L_\phi, L_m)$ consists of all matrices of polynomials in the ring $R = \mathbb{Z}[X]/(X^n - 1)$. The set of matrices $(L_f, L_c, L_\phi)$ contains polynomials from the set of polynomials $L(d_1, d_2)$:

$L(d_1, d_2) := \{u \in R \mid u \text{ has } d_1 \text{ coeff. equal } 1,\ d_2 \text{ coeff. equal } -1, \text{ and rest } 0\}$,
where $d_1 = d_2 < n/2$ or $d_1 = d_2 \approx n/p$.

The space of messages consists of all matrices of polynomials with coefficients modulo $p$. We therefore express

Lm '= {M G M I polynomial in M has coeff. lying between — and ^^}. 

Here we explain individually the meaning and composition of all four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathbb{M}$:

1. $L_f$ with elements $f$ and $g$, and $L_\phi$ with elements $\phi$, consist of small matrices of polynomials. $f$ and $g$ are used to compose the private key, while $\phi$ will be used as the blinding value for each encryption. $L_f$ must satisfy the requirement to have inverses modulo $p$ and modulo $q$.

2. Elements $w$ and $c$ belong to the matrix sets $L_w$ and $L_c$ respectively. $L_c$ should satisfy the requirement to have an inverse modulo $p$. $w$ and $c$ are used to construct the public key.

3. The set of messages $L_m$ consists of matrices of polynomials with coefficients modulo $p$. We therefore express



3 The NNRU System

3.1 Key Creation

To create an NNRU public/private key pair, Bob randomly chooses $f, g \in L_f$, $w \in L_w$ and $c \in L_c$. The matrix $f$ must satisfy the additional requirement of having inverses modulo $p$ and $q$. The matrices $g$ and $c$ should have inverses modulo $p$. We denote these inverses by $F_p$, $F_q$, $G_p$, $C_p$ respectively.

$f F_q = I \pmod{q}$ and $g G_p = I \pmod{p}$
$G_q g = I \pmod{q}$ and $C_p c = I \pmod{p}$

Bob next computes the matrices

$h = w G_q \pmod{q}$ (3)
$H = F_q c \pmod{q}$ (4)

Bob publishes the pair of matrices $(h, H) \in \mathbb{M}$ as his public key, retaining $(f, g, c)$ as his private key. $C_p$ and $G_p$ are simply stored for later use.

3.2 Encryption

Suppose Alice (the encryptor) wants to send a message to Bob (the decryptor). Alice selects a message $m$ from the set of plaintexts $L_m$. Next, Alice randomly chooses a matrix $\phi \in L_\phi$ and uses Bob's public key $(h, H)$ to compute the ciphertext $e$:

$e = p\phi h + Hm \pmod{q}$

Alice then transmits $e$ to Bob. A different random choice of blinding value $\phi$ is made for each plaintext $m$.

3.3 Decryption

To decrypt the ciphertext, Bob first computes

$A = feg \pmod{q}$

where he chooses the coefficients of the polynomials of the matrix $A$ to lie in the interval from $-q/2$ to $q/2$. Why does decryption work?

$A = f(p\phi h + Hm)g \pmod{q}$
$A = fp\phi hg + fHmg \pmod{q}$
$A = pf\phi w G_q g + f F_q c m g \pmod{q}$
$A = pf\phi w + cmg \pmod{q}$

The matrices $\phi$, $g$, $f$, $m$, $c$ and $w$ have polynomials with small coefficients, and $p$ is much smaller than $q$. It is highly probable, for an appropriate choice of parameters, that the matrix $pf\phi w + cmg$, before reducing mod $q$, has polynomials with coefficients of absolute value less than $q/2$. Bob next computes the matrix $B$:

$B = A \pmod{p}$
$B = cmg \pmod{p}$

He reduces each coefficient of the elements of $A$ modulo $p$. Finally Bob uses his other private keys $C_p$ and $G_p$ to recover the original message:

$C = C_p c m g G_p \pmod{p}$
$C = m \pmod{p}$

The matrix $C$ will be the original message $m$ as

polynomial m m G I ^ — — ^ — ) — ^ 
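
The key creation, encryption and decryption steps of Section 3 as a runnable toy (an added example, not code from the paper). It represents each element of $\mathbb{M}$ as a $kn \times kn$ block-circulant integer matrix and assumes $n = 7$, $k = 2$, $p = 3$ and a prime $q = 683$; as a further assumption, $f$, $g$ and $c$ get one extra $+1$ coefficient in their diagonal polynomials, because a matrix whose polynomials all have equally many $+1$ and $-1$ coefficients is the zero matrix at $X = 1$ and has no inverse.

```python
import random

# Toy sizes (assumed, insecure); Q is prime so Gauss-Jordan inversion works.
N, K, P, Q, D = 7, 2, 3, 683, 2

def circ(u):
    """Circulant matrix of u in Z[X]/(X^N - 1): circ(u) circ(v) = circ(u*v)."""
    return [[u[(a - b) % N] for b in range(N)] for a in range(N)]

def block(polys):
    """K x K matrix of polynomials -> KN x KN block-circulant integer matrix."""
    return [[x for j in range(K) for x in circ(polys[i][j])[a]]
            for i in range(K) for a in range(N)]

def small(rng, unit_diag):
    """Ternary polynomials with D ones and D minus-ones; unit_diag adds one +1
    on the diagonal so the matrix is the identity at X = 1 (assumed tweak)."""
    def tern(ones):
        u = [1] * ones + [-1] * D + [0] * (N - ones - D)
        rng.shuffle(u)
        return u
    return block([[tern(D + int(unit_diag and i == j)) for j in range(K)]
                  for i in range(K)])

def message(rng):
    """Plaintext matrix: every coefficient is a centered residue mod P = 3."""
    return block([[[rng.choice((-1, 0, 1)) for _ in range(N)]
                   for _ in range(K)] for _ in range(K)])

def mul(a, b, mod):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(r, c)) % mod for c in cols] for r in a]

def center(a, mod):
    """Lift residues into the interval [-(mod // 2), mod // 2]."""
    return [[(x + mod // 2) % mod - mod // 2 for x in r] for r in a]

def inv(a, mod):
    """Inverse of a modulo a prime by Gauss-Jordan, or None if singular."""
    size = len(a)
    m = [[x % mod for x in r] + [int(i == j) for j in range(size)]
         for i, r in enumerate(a)]
    for col in range(size):
        piv = next((r for r in range(col, size) if m[r][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        s = pow(m[col][col], -1, mod)
        m[col] = [x * s % mod for x in m[col]]
        for r in range(size):
            if r != col and m[r][col]:
                t = m[r][col]
                m[r] = [(x - t * y) % mod for x, y in zip(m[r], m[col])]
    return [r[size:] for r in m]

def keygen(rng):
    while True:                       # retry until every needed inverse exists
        f, g, c, w = (small(rng, d) for d in (True, True, True, False))
        Fp, Fq, Gq, Gp, Cp = inv(f, P), inv(f, Q), inv(g, Q), inv(g, P), inv(c, P)
        if all(x is not None for x in (Fp, Fq, Gq, Gp, Cp)):
            return (mul(w, Gq, Q), mul(Fq, c, Q)), (f, g, Gp, Cp)  # (h, H) per (3), (4)

def encrypt(pub, m, rng):
    h, H = pub
    phi = small(rng, False)                              # fresh blinding value
    ph, Hm = mul(phi, h, Q), mul(H, m, Q)
    return [[(P * x + y) % Q for x, y in zip(r, s)] for r, s in zip(ph, Hm)]

def decrypt(priv, e):
    f, g, Gp, Cp = priv
    # |p f phi w + c m g| <= 3*9*8 + 9*9 = 297 <= Q // 2, so centering A
    # recovers that integer matrix exactly for these parameters.
    A = center(mul(mul(f, e, Q), g, Q), Q)
    return center(mul(mul(Cp, A, P), Gp, P), P)          # C = Cp B Gp (mod p)

def roundtrip(seed):
    rng = random.Random(seed)
    (pub, priv), m = keygen(rng), message(rng)
    return decrypt(priv, encrypt(pub, m, rng)) == m
```

Calling `roundtrip(seed)` generates a key pair, encrypts a random message and returns whether decryption recovered it; with these sizes the coefficient bound in `decrypt` makes that hold for every seed.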

4 Parameter Constraint 

Our selection is based on the following three requirements:

1. $f\phi w$ and $cmg$ should be small in order for decryption to work.

2. Appropriate selection of $f$, $g$ and $c$ prevents a private key attack.

3. Appropriate selection of $\phi$ and $m$ prevents a plaintext attack.

The key point is that decryption will only work if $f\phi w$ and $cmg$ are not too large, so we want $|pf\phi w + cmg|_\infty$ to be small. For security reasons, it is important that $w$ remains secret from the attacker. On average $|w| \approx |m|$. This type of selection gives

$|pf\phi w| \approx |cmg|$

As already described, we are selecting $f$, $g$ from $L_f$, $c$ from $L_c$, $w$ from $L_w$ and $m$ from $L_m$, which gives $d_1 = d_2 \approx n/p$; this maximizes the number of possible choices for the polynomials of these matrices.



5 Cryptanalysis 

5.1 Brute Force Attacks 

To decrypt the ciphertext, attackers need to know the private key $f$, $g$ and $c$ correctly. An attacker can try all possible $f, g \in L_f$ so that $hg \pmod{q}$ has polynomials with small entries, or find all $f \in L_f$ and test whether $fH \pmod{q}$ has polynomials with small entries. Out of these small $fH \pmod{q}$, one will be $c \pmod{q}$. So the attacker needs to search for the pair $(f, g)$. $f$ and $g$ are determined by $2k^2$ polynomials, each of them having maximum degree $(n - 1)$, so the number of possible $(f, g)$ pairs is

n: 

Key Security : 



(n-2d/)!d/!2 

Here $d_f$ and $d_\phi$ are defined by assuming that $L_f$ and $L_\phi$ contain polynomials from the sets of polynomials $L(d_f, d_f)$ and $L(d_\phi, d_\phi)$ respectively. By analogy, the same attack can also be done against a given message by testing all possible $\phi \in L_\phi$ and searching for the matrices $e - \phi h \pmod{q}$ which contain polynomials with small entries. So individual message security is defined by

r I n 2fe^ 

Message Security = ^ 

A meet-in-the-middle attack was proposed by Andrew Odlyzko [13] for NTRU and developed by Silverman. This attack can also be used against NNRU. The attack needs a lot of storage capacity and cuts the search time by the square root.




5.2 Multiple Transmission Attack 

This attack works if Alice sends a single message $m$ several times using the same public key but different blinding values $\phi$; the attacker Eve can then get the maximum bits of the message.

Suppose Alice transmits the messages

$e_i = \phi_i h + Hm \pmod{q}$

for $i = 1, 2, \dots, r$.

Eve can compute $(e_i - e_1) * h^{-1} \pmod{q}$, thereby recovering $\phi_i - \phi_1 \pmod{q}$. If $r$ is of moderate size (say 5 or 6), Eve will recover enough bits of $\phi_1$ to apply brute force to the rest of the bits. As the polynomials of $\phi$ have small coefficients, Eve will recover exactly $\phi_i - \phi_1$, and in this way Eve will recover many of the coefficients of the polynomials of $\phi_1$.

Due to this attack we suggest not to use multiple transmission with further scrambling of the particular (underlying) message. However, this attack will work for a single message (that has been transmitted multiple times), not for any subsequent message.

5.3 Lattice Attack 

The decryptor computes

$A = feg = pf\phi w + cmg \pmod{q}$

Parameters are chosen so that both $pf\phi w$ and $cmg$ are small enough to guarantee that the entries of the non-modular expression

$B = pf\phi w + cmg \pmod{q}$

lie between $-q/2$ and $q/2$ most of the time. In this case the decryptor can switch from computing modulo $q$ to computing modulo $p$ and can calculate the message

$m = C_p B G_p \pmod{p}$

We can estimate bounds on the elements of $B$ provided decryption is correct. Decryption will work only when $B$ is equal to $pf\phi w + cmg$, not merely congruent to it modulo $q$. Using result (2) we can say the following:

$\|pf\phi w\| \approx p \|f\| \|\phi\| \|w\|$

$\|cmg\| \approx \|c\| \|m\| \|g\|$

Assuming the vectors $pf\phi w$ and $cmg$ to be nearly orthogonal, we can write



(5) 
Decoding will fail if any coefficient of a polynomial of $B$ is more than $q/2$ in absolute value. Make the second assumption that the entries of the polynomials in the matrix $B$ are normally distributed with mean zero and standard deviation $\sigma \approx \|B\|/\sqrt{nk^2}$. Analogous to Shamir's results for NTRU J^, experiments suggest that the probability of correct decoding is high for a small ratio of $\sigma$ to $q/2$. We can say that the reliability of decoding is directly proportional to the ratio of $\sigma \approx \|B\|/\sqrt{nk^2}$ to $q$.

Equation (5) gives an estimate of the value of $B$ in terms of $f$, $w$, $c$ and $g$. Let us consider the case in which the attacker can use an alternate matrix $f'$ in place of the original $f$ and $g'$ in place of $g$. Upon calculating a value of $w'$ from equation (3) and $c'$ from equation (4), an estimate of $\|B'\|$ can be calculated by equation (5). If this $\|B'\|$ is comparable to $\|B\|$, then it is not tough to recover the message using $f'$ and $g'$, so consider

$\|B'\|^2 \approx p^2 \|f'\|^2 \|\phi\|^2 \|w'\|^2 + \|c'\|^2 \|m\|^2 \|g'\|^2$

Assume $\|\phi\|$ and $\|m\|$ to be held constant at a typical value, and put $\lambda = \|m\| / (p \|\phi\|)$. Putting the value of $\lambda$ in the above equation, we are left with

$\|B'\|^2 \approx p^2 \|\phi\|^2 \left( \|f'\|^2 \|w'\|^2 + \lambda^2 \|c'\|^2 \|g'\|^2 \right)$

We can attack this cryptosystem if we can make a lattice $L$ in which the squared norm of an element is

$\|f\|^2 \|w\|^2 + \|c\|^2 \|g\|^2$

In other words, if we can construct a lattice from the public key pair $h$, $H$ in which the vector $(fw, cg)$ lies, or if we show the vectors $fw$ and $cg$ to be the same linear transformation of the public key vectors. In the following analysis we show that we cannot make such a lattice that is generated by the public key and contains the vector $(fw, cg)$.

The encrypted message is left multiplied by $f$ and right multiplied by $g$. $fw$ and $cg$ are produced by the following transformation on the public keys.

Tjjl) -.l^fg 
We can define $T_{f,g} : \mathbb{M} \to \mathbb{M}$ to be the linear map

$h \mapsto fhg$ or $h \mapsto fw$ (6)
$H \mapsto fHg$ or $H \mapsto cg$ (7)
For further analysis let us consider the definition of a lattice. Let $\mathbb{R}^m$ be the $m$-dimensional Euclidean space. A lattice in $\mathbb{R}^m$ is the set $L(b_1, b_2, b_3, \dots, b_n)$ of all integer combinations of $n$ linearly independent vectors $\{b_1, b_2, b_3, \dots, b_n\}$ in $\mathbb{R}^m$ ($m > n$). Here we try to make a lattice of dimensions $2nk^2 \times 2nk^2$ with basis vectors produced by the cyclic shift of the coefficients of the polynomials of the matrices $h$ and $H$. The attacker can crack the system provided the lattice contains the vector $(fw, cg)$.

One can conclude by the linear transformations shown in equations (6) and (7) that the lattice attack is possible if and only if one can make a lattice with the public key vectors $(h, H)$ which contains the vector $(fw, cg)$, or if the following transformation is linear:

$(h, H) \mapsto (fw, cg)$ (8)

In the following analysis we show that the transformation $h \mapsto fhg$ is not linear. Similarly it follows that $H \mapsto fHg$ and $(h, H) \mapsto (fw, cg)$ cannot be linear.

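Consider the multiplication of the matrices $f \cdot h \cdot g = fw$, where each matrix ($f$, $g$, $h$, $fw$) has short polynomials as elements:

$$
\begin{pmatrix} f_1 & \cdots & f_k \\ \vdots & & \vdots \\ f_{k(k-1)+1} & \cdots & f_{k^2} \end{pmatrix}
\begin{pmatrix} h_1 & \cdots & h_k \\ \vdots & & \vdots \\ h_{k(k-1)+1} & \cdots & h_{k^2} \end{pmatrix}
\begin{pmatrix} g_1 & \cdots & g_k \\ \vdots & & \vdots \\ g_{k(k-1)+1} & \cdots & g_{k^2} \end{pmatrix}
=
\begin{pmatrix} fw_{1,1} & \cdots & fw_{1,k} \\ \vdots & & \vdots \\ fw_{k,1} & \cdots & fw_{k,k} \end{pmatrix}
$$

$(fw)_{1,1} = g_1 f_1 h_1 + g_{k+1} f_1 h_2 + g_{2k+1} f_1 h_3 + \cdots + g_{k(k-1)+1} f_1 h_k + g_1 f_2 h_{k+1} + \cdots + g_{k(k-1)+1} f_2 h_{2k} + \cdots + g_{k(k-1)+1} f_k h_{k^2}$

$(fw)_{1,2} = g_2 f_1 h_1 + \cdots + g_{k(k-1)+2} f_k h_{k^2}$

$(fw)_{k,k} = g_k h_1 f_{k(k-1)+1} + g_{2k} h_2 f_{k(k-1)+1} + \cdots + g_{k^2} h_k f_{k(k-1)+1} + \cdots + g_{k^2} h_{k^2} f_{k^2}$

So the general term can be represented as

$(fw)_{i,j} = \sum_{l=k(i-1)+1}^{ki} \sum_{s=0}^{k-1} f_l \, g_{(j+sk)} \, h_{(1+s)+k(l-k(i-1)-1)}$

or, we can represent $(fw)_{i,j} = \sum f_u g_v h_z = \sum U_z h_z$, where $u$, $v$ and $z$ are according to the relationship shown above.

Here $i, j \in [1, \dots, k^2]$; $u, v \in [1, \dots, k^2]$; $z \in [1, \dots, k^2]$.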
As all $U_z$ are different, we cannot find a row vector $S_i = (s_1, s_2, \dots, s_{nk^2})$ that will produce the vector $fw$ on multiplying with a lattice represented by the cyclic shift of the coefficients of the polynomials of $h$. In other words, if the column vectors $v_1, v_2, \dots, v_{nk^2}$ are the basis of the lattice $L(v_1, v_2, \dots, v_{nk^2})$, then we will have to multiply a different vector $S_i$ with each column vector $v_i$ to get $fw$. We therefore conclude

$fw \neq S_i \, L(v_1, v_2, \dots, v_{nk^2})$

Thus we proved that one cannot make a lattice from $h$ and $H$ which contains the vector $(fw, cg)$. So the lattice attack will not work for this cryptosystem, unlike NTRU[T] and its variants [H].



6 Comparison of Security and Speed of NNRU with 
Other Variants of NTRU 

Many variants of NTRU have been introduced to date. We present NNRU as the only variant of NTRU which operates in a non-commutative ring. It is completely secure against lattice attack. Moreover, it gives a speed improvement over NTRU. A brief description of the other variants follows.

1. Variant with non-invertible polynomial [25]: It operates in the ring $\mathbb{Z}[X]/(X^N - 1)$. The size of the public key and the encryption time are roughly double those of NTRU. It is likely to be more robust against lattice attack, but this is not proved.

2. MaTRU [2]: It operates in a ring of $k \times k$ matrices of polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$, but decryption is not non-commutative. A speed improvement is achieved by a factor of $O(k)$. It gives no added security against lattice or other attacks in comparison with NTRU.

3. CTRU [24]: It is an analogue of NTRU with the ring of integers replaced by the ring of polynomials $\mathbb{F}_2[T]$. It has been completely cracked by a linear algebra attack.

As [IS] is slow and [23] is completely cracked, it is obvious to give more attention to the study of the security aspects of MaTRU. Here we present a meet-in-the-middle attack on MaTRU and show that the MaTRU system is not more robust against this attack compared to NTRU. This attack cannot be operated on NNRU because the calculations involved in decryption are non-commuting. [26] shows a meet-in-the-middle attack on NTRU. We show that a similar attack can be applied on MaTRU.

Applying the same notation as in [M], let us consider the second block of the MaTRU lattice [14].
    h
    h > 1
    h > 2
    ...
    h > k^2 - 1

The $nk^2$ coefficients of $w$ can be achieved by multiplying the row vector $\gamma$ with the matrix $h$. The idea is to search for $\gamma$ in the form $\gamma_1 \| \gamma_2$, where $\gamma_1$ and $\gamma_2$ are each of length with $d/2$ ones and "$\|$" denotes concatenation, and then to match $(\gamma_1 * h)$ against $(-\gamma_2 * h)$, looking for $(\gamma_1, \gamma_2)$ so that the corresponding coefficients have approximately the same value. The above relationship can be written as

$(\gamma_1 * h)_i = \{0, 1\} - (\gamma_2 * h)_i \pmod{q} \quad \forall i$

where the notation $(a)_i$ denotes the $i$-th entry in $a$.
This equation is similar to what we get for NTRU:

$(f_1 * h)_i = \{0, 1\} - (f_2 * h)_i \pmod{q} \quad \forall i$

We can operate the attack in the same way as [26]. Assume $nk^2 = N$ and $d$ is the number of ones in $\gamma$. Similar to [26], one can easily find that the expected running time and storage space required for this method (this value is equal to what we get for NTRU) is iy^^j'^^l^^' Further, one can also apply a meet-in-the-middle attack on MaTRU followed by a linear algebra attack. The lattice in [M] can also be represented as the modular equation $\gamma(y) * h(y) = w \pmod{q} \pmod{y^{k^2} - 1}$. It can also be written as

$\gamma(y) * h(y) = w + qu$

where $u = u_{0,0} + u_{0,1} y + \cdots + u_{k-1,k-1} y^{k^2 - 1}$ and $u_{i,j} \in \mathbb{Z}[X]/(X^n - 1)$. The above system of linear equations consists of $3nk^2 - 1$ variables in $nk^2 - 1$ linear equations. If $nk^2 - 1$ is not fairly large, then the system of linear equations can be used to reduce an exhaustive search to a space of size 2"'''; further, one can set up a meet-in-the-middle search to reduce the running time to 0(2'"*'' ~^)/^).

7 Performance Analysis and Comparison with NTRU 

Here we present the theoretical operating specification of NNRU and compare the complexity of the different operations with the standard NTRU PKCS. The NNRU cryptosystem depends on four positive integer parameters $(n, k, p, q)$ with $p$ and $q$ relatively prime and four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathbb{M}$. The properties of NTRU [1] are defined in terms of the parameters $(N, p, q)$. We compare the two systems for the same size of plaintext blocks by setting $N = nk^2$.



[Display fragment: $w \pmod{q}$; $\gamma_{0,0}, \gamma_{0,1}, \dots, \gamma_{k-1,k-1}$]
Characteristics        NTRU                   NNRU
Plain text block       $N \log_2 p$ bits      $nk^2 \log_2 p$ bits
Encrypted text block   $N \log_2 q$ bits      $nk^2 \log_2 q$ bits
Encryption speed       $O(N^2)$ operations    $O(n^2 k^3)$ operations
Message expansion      $\log_p q$ to 1        $\log_p q$ to 1
Private key length     $2N \log_2 p$ bits     $2nk^2 \log_2 p$ bits
Public key length      $N \log_2 q$ bits      $2nk^2 \log_2 q$ bits
Lattice security       ^ 3Nq^ )               Totally secure against lattice attack

Since NNRU performs two-sided multiplication during the decryption process, the constant factor will be about twice that of standard NTRU.

For message security, $d_g$ will be replaced by $d$ for NTRU and $d_f$ by $d_\phi$ for the NNRU cryptosystem.

If we compare the size of the public/private keys, NNRU needs two public keys, each of them double the length of the NTRU public key, while the size of the private key is the same. NNRU gives a significant speed improvement over standard NTRU. We can compare an instance of NTRU by putting $n(k^2) = N$. Encryption and decryption in NTRU need $O(N^2)$ or $O(n^2 k^4)$ operations for a message block of length $N$. In NNRU the same bit of information requires $O(n^2 k^{2.807})$ or $O(n^2 k^{2.376})$ operations if we use Strassen's or Coppersmith's algorithms for matrix multiplication respectively. We can further reduce the number of operations if we use FFT for polynomial multiplication. In this case it will be as small as $O(k^{2.376} n \log n)$, which is a considerable speed improvement over original NTRU. It is faster than RSA, which needs $O(N^3)$ operations for encryption and decryption.



8 Conclusion 



Our motivation for NNRU results from various suggestions given by Shamir and other researchers in their papers for extensions to non-commutative groups. We studied NTRU over the ring $\mathbb{F}_2(T)[X]/(X^n - 1)$, but we found that the variant [21] is secure against the Popov Normal Form attack but completely insecure against linear algebra based attacks. Here we follow group algebra over strictly non-commutative groups. The lattice attack is the biggest threat to NTRU. It is expected that new lattice reduction techniques will be discovered over time and will be able to reduce the number of arithmetic operations involved. It is natural to study an analogue of NTRU in the given context and find the possibilities in terms of security against lattice attack and any improvement in terms of speed. NNRU is completely secure against lattice attacks with a significant speed improvement. Further research can be done in the direction of finding the possibilities of any other type of attack or further improvement and generalization of the NNRU cryptosystem.